service/matrix-bot: migrate matrix-hook from go-neb

2025-07-05 09:19:28 +02:00 · 2025-06-07 11:33:56 +02:00 · 2025-06-07 11:33:56 +02:00 · 6d1d3b5257
commit 6d1d3b5257
parent cf4bec4913
4 changed files with 37 additions and 51 deletions
--- a/machines/newton/secrets.yaml
+++ b/machines/newton/secrets.yaml
@ -27,14 +27,10 @@ sso:
        password-hash: ENC[AES256_GCM,data:4yOMOg3/RsijtXC7h73sIk3HDPq83xmSY7AaLeUbtPVZzjjZ/Qp+YiXpgL0fVsio1Pic3HyAzeVlWg0E,iv:23CdJQAhtpgrUZ1jVKiKYfgw5jQNVN6413Ew8ryJH6w=,tag:bds2Yd18gFtVDtgLkxMGkQ==,type:str]
        totp-secret: ENC[AES256_GCM,data:1fh22SICF19Svg6rLwUYs8oIBr0FV9dG30WWpPN751VbL104nQZcKnszbDox0hwuuotY7G8twYI=,iv:RrkNlJ9us8LDeQQUuexB1yvvYIbSElsB3VOm/4fBHzY=,tag:uv6Fwtk42atINufook7aAw==,type:str]
 matrix-bot:
-    password: ENC[AES256_GCM,data:LruowBkvNx2MgkChUvBFBl62zH39YzHyrNW6cfaUlzGr0DQ6WP5kFiju88VTVfje40jskhQsYqCabH5yrFaoQA==,iv:1fIRRVNNpLOGLQekACgmDdwyYRuryqjdTLOGGS+bVD8=,tag:CcFFw27rj7X9mtSvQj5pHw==,type:str]
+    password: ENC[AES256_GCM,data:RmEcNdQXEQoFYRdDC4fP7+b59aqrWh39YPVI3Ej7MRlMVdUGjmLW4pjhsq98TTqaLefwX0RYW7AD6wo0ua1wLA==,iv:wZF3xTdM4XOIwaweOoHW9d52atjI3zFiQ19dVDj9BLw=,tag:m4KGfgQMKtRi266fovXQSA==,type:str]
 acme:
    inwx: ENC[AES256_GCM,data:tu3pdI2fAQPAwQNdIIk10Kkl0xBPBLx592UlYYEXxJX0YGddAhGMwDUqKTh/B5k9WW11cyoLoeTMnZPMzD15V1Qj,iv:UbbauJBjr3O4XnKRL9Pc3PdRGJqAhqO0PDNkvpyXH2o=,tag:YRVtRo8D0KLVCtWukW7GWw==,type:str]
 sops:
    kms: []
    gcp_kms: []
    azure_kv: []
    hc_vault: []
    age:
        - recipient: age1hf8m9upp00dr7qv2kmqdr50fpvd9ejzkfu8yknqnuda2aas2tvrs4l3u7m
          enc: |
@ -54,8 +50,7 @@ sops:
            NmNwT3N5UEVabFdLTDhseFRjeVZaWFkKL3HGFqfttU1tXY4OhnIr1ABFsHB0R0CX
            s6wxb0ilut32ijjtnGXMIIa9y6XsMTpYskTb9FdRP9VnQQGVrMfdew==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-04-01T20:14:13Z"
+    lastmodified: "2025-06-06T18:36:39Z"
-    mac: ENC[AES256_GCM,data:TYsCSFADZkIqN+CggAoyBLHYBnF8XG9c7zGzsjyDG35Xty/JP6K6pC/7IPUEKtvStm0hUCS5seil5gTNmBBIgynVI3xTqhzIQ5UJ6QgxbVIcKR9j3lXF0FpuVSwh8p2Q6jL3LRM3nItCvtYYdw2CFL7pBSuk5BKkPVWbb1n1oyU=,iv:xYZSTv25Af0XSO0SpbwA3F/ORYOdDCemSS8uyFTklXA=,tag:y03I0hQweArU83l1nKFxfw==,type:str]
+    mac: ENC[AES256_GCM,data:cXcCbvl+KgXniJUF70yH2PcQanptrBoY36FdtJjWz5TiNlPNbJCXprmrnetb3Cjwn9LzT+yxF29ZqLP4U5Z4dqfyFHUVHKugiAtvQFYPWiux8Tx9x582RS+R6LXtpZaxWY2Ho30kO/INI3n9FRkdwcCWvgbS5G0y4a8v/tbEhTU=,iv:ACa221uyygkE1yWgA1Eps0oTjd67z9nO12X5x3q1Vyo=,tag:YtydRTcualGTTX920iZVtA==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.9.4
+    version: 3.10.2
--- a/machines/newton/services.nix
+++ b/machines/newton/services.nix
@ -28,9 +28,7 @@ in
    "grafana/password" = {
      owner = config.users.users.grafana.name;
    };
-    "matrix-bot/password" = {
+    "matrix-bot/password" = { };
      owner = config.systemd.services.go-neb.serviceConfig.User;
    };
  };
  # List services that you want to enable:
--- a/modules/services/alertmanager/config.nix
+++ b/modules/services/alertmanager/config.nix
@ -17,7 +17,7 @@
      email_configs = [ { to = "server@buehler.rocks"; } ];
      webhook_configs = [
        {
-          url = "http://localhost:4050/services/hooks/YWxlcnRtYW5hZ2VyX3NlcnZpY2U";
+          url = "http://localhost:4050/alert";
          send_resolved = true;
        }
      ];
--- a/modules/services/matrix-bot/default.nix
+++ b/modules/services/matrix-bot/default.nix
@ -1,5 +1,9 @@
-# adjusted from: https://github.com/NixOS/nixos-org-configurations/blob/master/delft/eris/alertmanager-matrix-forwarder.nix
+{
-{ config, lib, ... }:
+  config,
  lib,
  pkgs,
  ...
 }:
 let
  cfg = config.my.services.matrix-bot;
 in
@ -14,7 +18,10 @@ in
    };
    PasswortFile = mkOption {
      type = types.path;
-      description = "Password for the bot.";
+      description = ''
        Password for the bot.
        format: MX_TOKEN=<token>
      '';
      example = "/run/secrets/password";
    };
    RoomID = mkOption {
@ -26,41 +33,27 @@ in
  };
  config = lib.mkIf cfg.enable {
-    # TODO: since no encryption is used, this is not a major problem, but migration is advised
+    systemd.services.matrix-hook = {
-    nixpkgs.config.permittedInsecurePackages = [ "olm-3.2.16" ];
+      description = "Matrix Hook";
-
+      after = [ "network.target" ];
-    # Create user so that we can set the ownership of the key to
+      wantedBy = [ "multi-user.target" ];
-    # it. DynamicUser will not take full effect as a result of this.
+      environment = {
-    users.users.go-neb = {
+        HTTP_ADDRESS = "[::1]";
-      isSystemUser = true;
+        HTTP_PORT = "4050";
-      group = "go-neb";
+        MX_HOMESERVER = "https://matrix.org";
        MX_ID = cfg.Username;
        MX_ROOMID = cfg.RoomID;
        MX_MSG_TEMPLATE = "${pkgs.matrix-hook}/message.html.tmpl";
      };
-    users.groups.go-neb = { };
+      serviceConfig = {
-
+        EnvironmentFile = [ cfg.PasswortFile ];
-    services.go-neb = {
+        Type = "simple";
-      enable = true;
+        ExecStart = lib.getExe pkgs.matrix-hook;
-      baseUrl = "http://localhost";
+        Restart = "always";
-      secretFile = cfg.PasswortFile;
+        RestartSec = "10";
-      config = {
+        DynamicUser = true;
-        clients = [
+        User = "matrix-hook";
-          {
+        Group = "matrix-hook";
            UserId = cfg.Username;
            AccessToken = "$CHANGEME";
            DeviceID = "KIYFUKBRRK";
            HomeServerUrl = "https://matrix-client.matrix.org";
            Sync = true;
            AutoJoinRooms = true;
            DisplayName = "Stunkymonkey-Bot";
          }
        ];
        services = [
          {
            ID = "echo_service";
            Type = "echo";
            UserId = cfg.Username;
            Config = { };
          }
        ];
      };
    };
  };